During setup, on the security configuration page, you will be required to use bearer authentication; this is the only method of authentication Auth0 supports. You can generate a token value by clicking the circular arrows, or supply your own.
A section titled "Bearer Authentication" is shown. To the right of a "Bearer Token Value" field there is a button with two arrows arranged in a circle, and this button is circled.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Create a new Log Stream in Auth0
Log in to your Auth0 tenant.
From the dashboard, navigate to Monitoring > Streams.
Click Create Stream.
Select Custom Webhook.
Give your Event Stream a descriptive name, e.g., Panther Log Stream.
In the Payload URL field, paste the URL for the Auth0 HTTP source in Panther you generated in the previous step of this process.
In the Authorization Token field, enter the bearer token you used in Step 1, being sure to include Bearer . The complete format should be Bearer <token value>.
```yaml
schema: Auth0.Events
description: Event logs from Auth0 Log Stream
referenceURL: https://auth0.com/docs/deploy-monitor/logs
fields:
- name: log_id
required: true
description: The ID of the log.
type: string
- name: asdfg
type: array
validate:
allow: ['authentication']
element:
type: string
- name: data
required: true
description: The data object containing information about the log.
type: object
fields:
- name: date
description: Date/Time when the event occurred.
type: timestamp
isEventTime: true
timeFormats:
- rfc3339
- name: type
description: Type of event.
type: string
- name: description
description: Description of this event.
type: string
- name: connection
description: Name of the connection the event relates to.
type: string
- name: connection_id
description: ID of the connection the event relates to.
type: string
- name: client_id
description: ID of the client (application).
type: json
- name: client_name
description: Name of the client (application).
type: string
- name: ip
description: IP address of the log event source.
indicators:
- ip
type: string
- name: client_ip
type: string
description: IP address of the client which caused the event.
indicators:
- ip
- name: hostname
description: Hostname the event applies to.
type: string
- name: user_id
description: ID of the user involved in the event.
type: string
indicators:
- username
- name: user_name
description: Name of the user involved in the event.
type: json
- name: audience
description: API audience the event applies to.
type: string
- name: scope
description: Scope permissions applied to the event.
type: json
- name: strategy
description: Name of the strategy involved in the event.
type: string
- name: strategy_type
description: Type of strategy involved in the event.
type: string
- name: details
description: Additional useful details about this event (structure is dependent upon event type).
type: json
- name: log_id
description: Unique ID of the event.
type: string
- name: is_mobile
description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
type: boolean
- name: user_agent
description: User agent string from the client device that caused the event.
type: string
- name: location_info
description: Information about the location that triggered this event based on the IP.
type: object
fields:
- name: country_code
description: Two-letter Alpha-2 ISO 3166-1 country code.
type: string
- name: country_code3
description: Three-letter Alpha-3 ISO 3166-1 country code.
type: string
- name: country_name
description: Full country name in English.
type: string
- name: city_name
description: Full city name in English.
type: string
- name: latitude
description: Global latitude position.
type: float
- name: longitude
description: Global longitude position.
type: float
- name: time_zone
description: Time zone name as found in the tz database.
type: string
- name: continent_code
description: Two-letter continent code.
type: string
```
